Use of Hard-coded Cryptographic Key

Description

Applications that use cryptography need a method for managing keys. One of the simplest ways to store the keys is to hard-code them into the application. However, this approach is not secure, because anyone with access to the application code is able to recover the keys. Once an attacker has recovered the keys, they can use them to decrypt sensitive data. This vulnerability applies to all applications that use cryptography.

Impact

An attacker that has access to the application code is able to recover any hard-coded cryptographic keys. If the attacker gets access to the data encrypted with those keys, they will be able to decrypt them. The trouble is that if the attacker is able to get the encrypted data, they can probably get the application code as well. Therefore, using hard-coded cryptographic keys essentially defeats the purpose of using encryption in the first place.

Countermeasures

To prevent this vulnerability, provide a secure admin interface that allows for managing encryption keys, and use protected storage APIs to store the keys.

Application Check

To check for adequate protection against this vulnerability, ensure that a secure admin interface that allows for managing cryptographic keys is provided, and examine all code that uses encryption to ensure that encryption keys are stored using protected storage APIs.